CVE-2026-6566

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

CVE-2026-45776

Open XDMoD (Open XDMoD) versions prior to 11.0.3 are affected when the optional Job Performance (SUPReMM) module is installed. A flaw in access control allows a crafted HTTPS POST to set a session variable used for authorization, enabling an attacker to view other users’ compute job efficiency me...

CVE-2026-9808

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...

CVE-2026-45399

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST...

CVE-2026-24782

Kiteworks is a private data network PDN. Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global...

CVE-2026-42070

Mantis Bug Tracker MantisBT is an open source issue tracker. Prior to 2.28.2, the mcissueupdate function in MantisBT allows users having updatebugthreshold access UPDATER, with default settings to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing t...

CVE-2026-42070

Mantis Bug Tracker MantisBT is an open source issue tracker. Prior to 2.28.2, the mcissueupdate function in MantisBT allows users having updatebugthreshold access UPDATER, with default settings to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing t...

Mantis Bug Tracker 安全漏洞

Mantis Bug Tracker MantisBT is an open-source bug tracker developed by Mantis Bug Tracker. Versions of Mantis Bug Tracker prior to 2.28.2 contained a security vulnerability. This vulnerability stemmed from the mcissueupdate function, which allowed users with the updatebugthreshold permission to...

CVE-2026-48696

FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689...

CVE-2026-6566 Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

PT-2026-42112

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

EUVD-2026-30606

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +15 more potentially affected by CVE-2026-2652 via mlflow-skinny (>=3.0.0 <=3.0.1)

mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =3.0.0, =0.1.0, =0.1.4 and more Source cves: CVE-2026-2652 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16698136...

Open WebUI 授权问题漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.5.7 had an authorization issue vulnerability. This vulnerability stems from the ability for users to change access permissions during editing, potentially leading to...

Open WebUI 访问控制错误漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.3.16 contained a access control vulnerability. This vulnerability stemmed from the lack of permission checks for file-related API endpoints, which could allow any...

CVE-2026-7619

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of...

CVE-2026-7619

The CVE-2026-7619 entry details an authenticated SQL Injection in the Charitable WordPress plugin (

Incorrect Authorization

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Incorrect Authorization in the mcissueupdate function. An attacker can modify, edit, or change the visibility of bugnotes belonging to other users by leveraging insufficient access control chec...

EUVD-2025-209742

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user's backups and...

SysReptor 安全漏洞

SysReptor is an open-source penetration testing report platform developed by Syslifters. Versions of SysReptor from 2026.4 to 2026.27 contained security vulnerabilities. These vulnerabilities stemmed from improper authorization at the endpoints when reading and creating personal note-sharing link...